Friday, July 1, 2016

Another update to volatility script (SIFT3)

Added a bunch of modules I now find useful, changed how I do the timeline, and changed it for use with the SIFT workstation (calling vol.py from PATH rather than a hard-coded path).

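#!/bin/bash
# memscan - runs a bunch of my most commonly used volatility plugins against a
# memory image and drops each plugin's output into the current directory.
#
# Usage:   memscan imagename profile
# Env:     MEMSCAN_TZ  timezone passed to mactime -z (default EST5EDT)
# Outputs: <plugin>.txt per plugin, timeline_body.txt, timeline.txt,
#          full_strings.txt, mapped_strings.txt (existing files are overwritten)
# Returns: 0 when every step ran, 1 if the image is unreadable, a tool is
#          missing or any step failed, 2 on bad arguments. A plugin that fails
#          is reported on stderr but does not stop the remaining plugins.

# -u catches misspelled variable names. -e is deliberately NOT set: one broken
# plugin (e.g. a community plugin that isn't installed on this box) should not
# abort the rest of the triage run.
set -u

readonly plugins=(pslist pstree psxview malfind hivelist dlllist connscan consoles
  malsysproc mimikatz autoruns prefetchparser shellbags shimcache ssdt userassist)

# Print the usage line to stderr (it is a diagnostic, not output).
usage() {
  echo "Usage: memscan imagename profile" >&2
}

#######################################
# Run one volatility plugin and capture its stdout in <plugin>.txt.
# Arguments: $1 image path, $2 profile, $3 plugin name
# Returns:   vol.py's exit status
#######################################
run_plugin() {
  local image=$1 profile=$2 plugin=$3
  echo "Running $plugin"
  vol.py -f "$image" --profile="$profile" "$plugin" > "$plugin.txt"
}

#######################################
# Entry point: argument checks, then plugins, timeline and string mapping.
# Arguments: $1 image path, $2 profile
# Returns:   0 on success, 1 on any failure, 2 on bad arguments
#######################################
main() {
  if (( $# < 2 )); then
    # I added the script to /usr/bin/memscan and gave it execute
    usage
    return 2
  fi

  local image=$1 profile=$2
  local tz=${MEMSCAN_TZ:-EST5EDT}
  local rc=0 tool plugin

  # Fail early on a bad image path instead of producing a pile of empty .txt files.
  if [[ ! -r "$image" ]]; then
    echo "memscan: cannot read image '$image'" >&2
    return 1
  fi

  for tool in vol.py mactime strings; do
    if ! command -v "$tool" >/dev/null 2>&1; then
      echo "memscan: required tool '$tool' not found in PATH" >&2
      return 1
    fi
  done

  # The script doesn't use this folder, but I do ;)
  mkdir -p dump

  for plugin in "${plugins[@]}"; do
    if ! run_plugin "$image" "$profile" "$plugin"; then
      echo "memscan: plugin $plugin failed (see $plugin.txt)" >&2
      rc=1
    fi
  done

  echo "Creating timeline"
  if vol.py -f "$image" --profile="$profile" timeliner --output=body --output-file=timeline_body.txt; then
    # -z selects the timezone mactime renders the bodyfile timestamps in;
    # override with MEMSCAN_TZ when the case is not in US Eastern.
    if ! mactime -b timeline_body.txt -d -z "$tz" > timeline.txt; then
      echo "memscan: mactime failed" >&2
      rc=1
    fi
  else
    echo "memscan: timeliner failed, skipping mactime" >&2
    rc=1
  fi
  # Still disabled, as before:
  # vol.py -f "$image" --profile="$profile" mftparser --output=body --output-file=mftparser.txt

  echo "Mapping strings"
  # -a scans the whole file, -td prints decimal offsets (the offset:string
  # format that 'vol.py strings -s' reads). The second pass picks up 16-bit
  # little-endian (unicode) text. '--' keeps an image name that starts with
  # '-' from being parsed as an option.
  strings -a -td -- "$image" > full_strings.txt || rc=1
  strings -a -td -el -- "$image" >> full_strings.txt || rc=1
  if ! vol.py -f "$image" --profile="$profile" strings -s full_strings.txt --output-file=mapped_strings.txt; then
    echo "memscan: strings mapping failed" >&2
    rc=1
  fi

  return "$rc"
}

main "$@"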